
[Bug]: RSA_PKCS1_PADDING

Open guitardoc opened this issue 1 year ago • 13 comments

What happened?

I am still on node 20.11.0 due to the RSA_PKCS1_PADDING issue. Will this ever be addressed or is this a permanent issue which can not be remedied? Thank you for giving me (and others) some information.

Device Type

Doorbell (Supported)

Plugin Version

v3.0.x (Best Effort)

HomeBridge Version

v1.7.x (Supported)

NodeJS Version

v20 (Supported)

Operating System

Raspbian 10+ (Supported)

Relevant log output

see above

config

see above

guitardoc avatar Aug 28 '24 17:08 guitardoc

Did you check the Common Issues page?

github-actions[bot] avatar Aug 28 '24 17:08 github-actions[bot]

Anything?

guitardoc avatar Sep 13 '24 09:09 guitardoc

This is a show stopper and urgent

Longjohn8 avatar Sep 20 '24 16:09 Longjohn8

Still nothing from the developers?

guitardoc avatar Sep 22 '24 18:09 guitardoc

Any updates on this issue?

jadonbaker avatar Oct 02 '24 07:10 jadonbaker

Anything?

guitardoc avatar Nov 18 '24 08:11 guitardoc

potentially relevant: https://github.com/homebridge-eufy-security/eufy-security-client/commit/dff3508e8ba7d892e6a7e9902e1479a483e0d3ee

dfberger avatar Nov 18 '24 10:11 dfberger

Thank you for the information! I am on openssl 3.0.15 and node 20.11.0 (the last node version which supported RSA_PKCS1_PADDING). Do you think it is safe to update to node 20.18.0 (LTS) and not have the RSA_PKCS1_PADDING issue anymore?

guitardoc avatar Nov 18 '24 11:11 guitardoc

That change hasn't been incorporated into the plugin yet - so if you upgrade node, you'll at least break live-streaming.

Having said that, I'm running node 20.18.0, but you need to add a launch command line flag to revert the node deprecation.

You can't set the flag in NODE_OPTIONS, it has to go into the homebridge start script.

I created a pre-start file that does the needful. YMMV, and no warranty expressed or implied.

Note: I'm running homebridge in an lxc/lxd container, there may be a way to do a similar thing if you're running out of docker, but 🤷. Oh, and the scary error message about incompatible node versions will still appear in the logs, because the code that "tests" node is just doing a simple version compare.

# cat /etc/hb-service/homebridge/prestart.d/99-revert-cve-2023-46809
#!/bin/bash

CVE=CVE-2023-46809
CVE_REVERT_ARG="--security-revert=$CVE"

NODE_EXE_PATH=/opt/homebridge/bin/node
HOMEBRIDGE_START=/opt/homebridge/start.sh

# grep exits 0 when the node binary mentions the CVE, i.e. it knows the revert flag
grep -q -- "$CVE" "$NODE_EXE_PATH"
NEEDS_CVE_REVERT=$?

# grep exits 0 when the start script already passes the revert flag
grep -q -- "$CVE_REVERT_ARG" "$HOMEBRIDGE_START"
HAS_CVE_REVERT=$?

# literal text of the launch command in start.sh (the \$ keeps the variables unexpanded)
LAUNCH_CMD="\$HB_SERVICE_NODE_EXEC_PATH \$HB_SERVICE_EXEC_PATH"

# only touch start.sh when its state does not match what the node binary needs
if [ "$HAS_CVE_REVERT" != "$NEEDS_CVE_REVERT" ]; then
  if [ "$HAS_CVE_REVERT" == "0" ]; then
    echo "removing CVE revert from start script..."
    sed -i.bck -- s/"$CVE_REVERT_ARG "//g "$HOMEBRIDGE_START"
  else
    echo "inserting CVE revert into start script..."
    sed -i.bck -- s/"$LAUNCH_CMD"/"\$HB_SERVICE_NODE_EXEC_PATH $CVE_REVERT_ARG \$HB_SERVICE_EXEC_PATH"/g "$HOMEBRIDGE_START"
  fi
fi

If the node binary contains the CVE string, the argument is added to the launch command:

# diff -wu /opt/homebridge/start.sh.bck /opt/homebridge/start.sh
--- /opt/homebridge/start.sh.bck	2024-11-09 13:12:39.180010597 +0000
+++ /opt/homebridge/start.sh	2024-11-09 14:56:03.137404407 +0000
@@ -37,4 +37,4 @@
   rm -rf $HB_SERVICE_STORAGE_PATH/node_modules/homebridge-config-ui-x
 fi

-exec $HB_SERVICE_NODE_EXEC_PATH $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
+exec $HB_SERVICE_NODE_EXEC_PATH --security-revert=CVE-2023-46809 $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
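
Review bot: The `--security-revert=CVE-2023-46809` added on the `exec` line applies to the whole Node process, so every plugin loaded via `-P $HB_SERVICE_STORAGE_PATH/node_modules` runs with that fix reverted, not only the one that needs it, and nothing in start.sh records why the flag is there. Add a comment directly above the `exec` line naming the plugin that requires the flag and the condition for removing it, so it is dropped once the plugin no longer depends on RSA_PKCS1_PADDING.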

dfberger avatar Nov 18 '24 11:11 dfberger

Thank you for the extensive information. Maybe bropat will be able to incorporate the changes into the plugin soon.

guitardoc avatar Nov 18 '24 12:11 guitardoc

Looks like nothing has happened to this issue so far. Is there still a chance that someone could fix the plugin please?

guitardoc avatar Mar 17 '25 11:03 guitardoc

Anyone?

guitardoc avatar Apr 21 '25 19:04 guitardoc

Hello @guitardoc

Please have a look at https://github.com/homebridge-eufy-security/plugin/wiki/Node.js-Compatibility-with-Eufy-Security-Plugin

julien94800 avatar Apr 21 '25 19:04 julien94800